Gopher problem in Squid

The developers of the Squid web cache and proxy have fixed a hole in the code for processing Gopher responses. Gopher is a predecessor of the World Wide Web and is very rarely used nowadays.

If a Gopher server returned a line that was more than 4096 characters long, this caused a buffer overflow in Squid. The Squid developers' advisory says that this "usually" crashes Squid. The authors neglect to comment on whether the hole can be exploited to inject and execute code, although this is usually the case with such flaws.

Most 3.x versions of Squid are affected. The developers have provided updated packages that no longer contain the flaw. As a workaround, access to Gopher URLs can also be denied via ACL:
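
An ACL of this kind for `squid.conf`, given here as an added example rather than the configuration from the original article or the Squid advisory. The ACL names `gopher_proto` and `localnet` and the address range are assumptions.

```conf
# Added example, not taken from the article or the Squid advisory.
# Assumed names: gopher_proto, localnet. 192.0.2.0/24 is a documentation range.

# Match every request whose URL scheme is gopher://
acl gopher_proto proto gopher
acl localnet src 192.0.2.0/24

# Ineffective ordering (shown commented out): http_access rules are checked
# top to bottom and the first matching rule decides, so local clients would
# be allowed before the Gopher deny is ever reached.
#   http_access allow localnet
#   http_access deny gopher_proto

# Effective ordering: deny Gopher before any allow rule, so the request is
# rejected and Squid never fetches or parses a Gopher server's response.
http_access deny gopher_proto
http_access allow localnet
http_access deny all
```

`squid -k parse` checks the file for syntax errors, and `squid -k reconfigure` loads it into the running proxy.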